OFFICE OF INSPECTOR GENERAL
UNITED STATES POSTAL SERVICE

Passport Personally Identifiable Information

Management Advisory Report

May 15, 2014

Report Number HR-MA-14-007

BACKGROUND:
This report responds to a request from U.S. Congressman Duncan Hunter of California regarding a constituent’s concern that the U.S. Postal Service compromised her daughter’s personally identifiable information (PII) while processing her passport application. PII is information used to determine or trace an individual’s identity.

The Postal Service has more than 5,300 passport acceptance facilities, which accepted about 5.3 million applications and collected passport revenue of more than $133.2 million in fiscal year 2013. The Postal Service, in conjunction with the U.S. Department of State (DOS), established policies and procedures to ensure the security of PII to avoid theft, misuse, or loss. In addition, the DOS inspects Postal Service passport facilities every 2 years as part of its oversight program.

Our objective was to evaluate the Postal Service’s procedures for protecting PII on passport applications.

WHAT THE OIG FOUND:
The Postal Service must strengthen its procedures for securing and protecting PII on passport applications. Although we found no indication the PII in question was compromised, Postal Service personnel did not always safeguard passport PII and provide customers with adequate privacy when processing passport applications. We also identified control weaknesses relating to transmittal forms and inconsistent passport procedures at the district level to address deficiencies the DOS identified. These issues occurred due to inadequate training and passport application procedures and conflicting criteria.

The DOS identified similar issues regarding the safeguarding of PII and passport application processing procedures in its reviews of Postal Service passport acceptance facilities. We identified about $64 million in annual revenue at risk if the Postal Service does not comply with established procedures.

WHAT THE OIG RECOMMENDED:
We recommended management implement controls to ensure that Postal Service personnel complete and document training; provide customers with adequate privacy during the passport application process; ensure transmittal forms are accurate, appropriately retained, and monitored; and ensure consistency of passport acceptance, compliance, and procedures to address deficiencies the DOS identified.

May 15, 2014

MEMORANDUM FOR: KELLY M. SIGMON
VICE PRESIDENT, RETAIL CHANNEL OPERATIONS

EDWARD F. PHELAN, JR.
VICE PRESIDENT, DELIVERY AND POST OFFICE OPERATIONS

FROM: Janet M. Sorensen
Deputy Assistant Inspector General for Revenue and Business

SUBJECT: Management Advisory Report – Passport Personally Identifiable Information (Report Number HR-MA-14-007)

This report presents the results of our review of Passport Personally Identifiable Information (Project Number 13YG039HR000).

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Andrea L. Deadwyler, deputy director, Human Resources and Support, or me at 703-248-2100.

Attachment

cc: Corporate Audit and Response Management

TABLE OF CONTENTS

Introduction
Conclusion
Safeguarding Passport Personally Identifiable Information
   Passport Applications, Transmittals, and Supporting Documents
   Customer Privacy
   Department of State Acceptance Facility Oversight Reviews
Passport Application Procedures
   Passport Transmittal Forms
   Passport Acceptance Policies and Procedures
Recommendations
Management’s Comments
Evaluation of Management’s Comments
Appendix A: Additional Information
   Background
   Objective, Scope, and Methodology
   Prior Audit Coverage
Appendix B: Other Impact
Appendix C: Management’s Comments

Introduction

This report presents the results of our review of passport personally identifiable information (PII) (Project Number 13YG039HR000). The report responds to a request from the office of U.S. Congressman Duncan Hunter of California regarding a constituent’s concern that the U.S. Postal Service compromised her daughter’s PII when processing her passport application.
Our objective was to evaluate the Postal Service’s procedures for protecting and securing PII on passport applications. See Appendix A for additional information about this review.

In November 2012, a mother and daughter applied for passports at a Post Office in San Diego, CA. The mother received her passport in about 10 days; however, unit personnel found the daughter’s application unsecured at the Post Office 23 days after it was accepted and personnel at a Tucson, AZ Post Office subsequently misfiled the application for 10 days before redelivering it to the regional passport office. The Postal Service reimbursed the family for costs associated with the delay in service. The Postal Service’s Consumer and Industry Contact and the U.S. Postal Service Office of Inspector General’s (OIG) Office of Investigations conducted independent investigations and found no evidence that the Postal Service compromised the PII in question.

The Postal Service has been providing passport application acceptance services for the U.S. Department of State (DOS) since 1975. Postal Service passport acceptance agents[1] must follow DOS policies for safeguarding passport applicants’ PII. PII is information used to determine or trace an individual’s identity, such as a Social Security Number, driver’s license number, or passport number.[2] To avoid theft, misuse, or loss, authorized employees must secure and lock PII in a container at all times.

The DOS inspects Postal Service passport facilities every 2 years as part of its Acceptance Facility Oversight (AFO) program.[3] In fiscal year (FY) 2013, the DOS reviewed 2,954 Postal Service facilities to verify their compliance with key requirements for passport application processing, such as acceptance and information security procedures,[4] supplies, and training.
When the DOS identifies deficiencies and a facility continues to be noncompliant, the DOS can recommend suspension or removal of that facility from participation in the passport program.

[1] Employees who have completed the mandatory passport training and been certified by the DOS to accept passport applications.
[2] Handbook AS-805, Information Design and Control, Section 3-2.3.2.c, page 37, May 2013.
[3] Monitors each acceptance facility’s compliance with established DOS procedures.
[4] This section of the AFO program addresses the safeguarding of PII.

Conclusion

The Postal Service must strengthen its procedures for securing and protecting PII related to passport applications, but we found no indication that the Postal Service compromised the constituent’s daughter’s PII. We also identified control weaknesses relating to transmittal forms and inconsistent passport procedures at the district level. The DOS identified similar issues in its AFO reviews of Postal Service passport acceptance facilities. The revenue the Postal Service generates for processing passports and photographs is at risk if passport acceptance facilities continue to be noncompliant with DOS procedures. We identified about $128 million as revenue at risk based on FYs 2012 and 2013 DOS AFO reviews.
See Appendix B for more information.

Safeguarding Passport Personally Identifiable Information

Postal Service passport acceptance agents did not always safeguard passport PII and provide customers with adequate privacy during the passport application process.

Passport Applications, Transmittals, and Supporting Documents

At the three Postal Service passport acceptance facilities we visited,[5] acceptance agents did not always secure completed passport applications[6] when they were away from the retail window. We observed supporting documentation passport customers left behind that was not stored in locked cabinets or drawers. This documentation contained PII such as valid passports, birth certificates, and driver’s licenses. We found transmittal forms[7] with customer names, birth dates, and telephone numbers in envelopes on desktops, in storage rooms, or in cabinets and drawers on the workroom floor, where they were accessible to unauthorized personnel.

These passport control weaknesses occurred because acceptance agents were not aware of the requirements to properly safeguard documentation containing PII in a locked file cabinet or drawer[8] or there was an oversight. Also, one acceptance agent acknowledged she was unaware of the requirements for handling documents left by passport customers. During our review, management issued supplemental guidance to retail units addressing the safeguarding of PII collected from customers; therefore, we are not making a recommendation.

[5] We visited the      Post Office in      ; the      Post Office in      ; and the      Station in      .
[6] Form DS-11, Application for a U.S. Passport. Completed passport applications may include a customer’s valid passport, birth certificate, photograph, and copy of his or her driver’s license.
[7] Postal Service (PS) Form 5659, Daily Passport Application (DS-11) Transmittal, is used by Post Office acceptance facilities to log individual passport application activity for the DOS and the Postal Service. For this report, PS Forms 5659 will be referred to as transmittal forms.
[8] Passport Agent’s Reference Guide (PARG) 2011-2012, pages 12 and 18, Item 13 requires employees to store applications and documents under lock and key when away from their workstation and keep copies of transmittals in a secure location, accessible only to designated acceptance agents and the passport program manager.

We found that some personnel were unaware of PII requirements because they may not have completed the required passport acceptance training. Specifically, 65 percent of acceptance agents at the three passport acceptance facilities we visited did not have documentation to show they completed the required passport acceptance training.
Of the 17 acceptance agents’ training records we requested for review,[9] management was unable to provide training records showing completion[10] of either the initial passport application acceptance training or the annual passport application acceptance refresher course for 11 agents.[11] The DOS requires management to verify that all acceptance agents have completed training within the past calendar year and new agents have completed training before accepting passport applications.[12] Postal Service policy requires all agency-sponsored training to be recorded in the appropriate electronic database.[13] The manager, Learning Development and Diversity,[14] must maintain support for non-agency training, including copies of certificates and grade reports. During our review, management implemented additional procedures requiring supervisors at acceptance facilities to maintain and provide annual passport training documentation to the DOS.

[9] We requested training records for the 17 acceptance agents at the three locations we visited.
[10] An acceptance agent has successfully completed training upon completion of the course and required test.
[11] Of the 11 agents, all were missing supporting documentation for the initial training and one of the 11 was missing documentation for the refresher training.
[12] PARG, page 8.
[13] Employee and Labor Relations Manual (ELM) 36, Section 732.2, page 718.
[14] ELM 36, Section 742.4, page 722.

Figures 1 through 3 show examples of improperly secured passport applications, transmittal forms, and supporting documentation.

Figure 1: Unsecured Passport Applications and Supporting Documentation
Source: OIG photograph taken at a Post Office on November 5, 2013.

Figure 2: Unsecured Transmittal Forms
Source: OIG photograph taken at a Post Office on November 7, 2013.

Figure 3: Unsecured Supporting Documents
Source: OIG photograph taken at a Post Office on November 7, 2013.

Customer Privacy

At one Postal Service facility we visited, management did not provide customers with adequate privacy when processing their passport applications. We observed an acceptance agent processing passport applications in the middle window of the main retail area, which was highly visible and accessible to customers waiting in line. During interactions with passport customers, the acceptance agent asked them to verbally confirm portions of the passport application, which revealed PII in the presence of other customers. The acceptance agent stated that agents previously processed passport applications in a separate, private area at this facility; however, facility management changed the location and required agents to process passport applications in the retail area. Management indicated it would be inefficient to have agents process passport applications in a separate area because they would have down time between passport appointments.
The PARG requires acceptance facilities to create an area where customers are afforded privacy when applying for passports.[15]

Department of State Acceptance Facility Oversight Reviews

Lastly, we reviewed results from DOS reviews[16] and found they identified similar issues with Postal Service acceptance agents safeguarding PII.[17] For example:

• Acceptance agents at 383 of 2,954 Postal Service passport acceptance facilities (13 percent) did not properly secure passport applications and documentation when away from their workstations.

• Acceptance agents at 920 of 2,954 facilities (31 percent) did not properly store transmittal forms under lock and key.

• Acceptance agents improperly retained photocopies of passport applications or supporting documentation at 91 of 2,954 facilities reviewed (3 percent).

• Management did not provide customers with sufficient space to maintain privacy when applying for passports at 64 of 2,954 facilities reviewed (2 percent).

Inadequate security and privacy in the passport application process increases the risk that customers’ PII will be compromised. This could have a negative impact on the Postal Service’s brand and result in revenue loss if customers elect not to use the Postal Service for passport services. We identified about $64 million in annual revenue at risk associated with passport acceptance facilities potentially being suspended or closed for noncompliance with DOS procedures.
See Appendix B for more information.

Passport Application Procedures

Postal Service officials did not always follow consistent procedures relating to transmittal forms and district management’s roles and responsibilities relating to passport acceptance, compliance, and remediation.

Passport Transmittal Forms

Acceptance agents at the three facilities we visited did not always use the transmittal form to monitor and record successful delivery of envelopes containing passport applications to banking facility lockboxes[18] within 7 days, as required. In addition, acceptance agents did not always obtain independent reviews of transmittal forms to ensure accuracy and completeness or retain and dispose of the transmittals within 2 years, as required.[19]

[15] PARG, page 12.
[16] These results represent DOS AFO reviews conducted during FY 2013.
[17] We reviewed an AFO summary report and determined the DOS identified issues in FY 2012 with proper security of passport applications and documentation and proper storage of transmittal forms during two separate reviews at one Post Office we visited.
[18] The DOS uses banking facilities to complete the initial processing of passport applications, including data entry, image scanning, and payment processing and then they forward applications to Passport Services for further processing.

These issues occurred for the following reasons:

• Passport acceptance agents stated they were unaware of the requirement to monitor and record successful delivery of envelopes containing passport applications within 7 days. One agent believed the requirement was to monitor delivery every 14 days[20] but policy requires acceptance agents to monitor each envelope containing passport applications sent from the facilities within 7 business days until Passport Services[21] confirms receipt.

• Management did not have procedures in place to ensure the independent review of completed transmittal forms for accuracy and acceptance agents were unaware of this requirement. The Administrative Support Manual (ASM) requires a supervisor or another employee to review the accuracy of the completed transmittal form and related applications. The reviewer must initial the “Reviewer Initials” line to indicate concurrence.[22]

• A supervisor at one site we reviewed was unaware of the importance of safeguarding PII on transmittal forms.

• The Postal Service did not have procedures in place to ensure employees retain transmittal forms for 2 years, as required, and the Postal Service has conflicting guidance regarding retention requirements. According to the ASM, employees must store transmittal forms in a secure place to protect the sensitivity of the information and destroy them after 2 years.[23] However, Exhibit 892 - Retention Periods for Post Office Forms, which is unique to the online version of the ASM, indicates the retention period for the transmittal forms is 3 months. Postal Service officials confirmed the correct retention period is 2 years.

We also examined the DOS reviews and found they identified similar issues with transmittal forms.
Specifically, acceptance agents did not:

• Monitor the successful delivery confirmation of each envelope sent to the lockbox at 889 of 2,954 facilities reviewed (30 percent).

• Destroy transmittals after 2 years at 821 of 2,954 facilities reviewed (28 percent).

• Keep transmittals for at least 2 years at 1,010 of 2,954 facilities reviewed (34 percent).

[19] Acceptance agents at one of the facilities had transmittal forms on file from January 2007, while one facility retained transmittal forms for only 3 months.
[20] The back of the transmittal form provides thorough instructions on how to complete every section of the form except for the section relating to monitoring and documenting successful delivery of the envelope.
[21] PARG, page 42; and Postal Blue website, Tracking of PPT Mailings.
[22] ASM; page 181; Section 422.281(b); Item 8, July 1999; updated through November 28, 2013.
[23] ASM, page 182, Section 422.282(c).

When transmittal forms are not properly completed, reviewed, retained, and destroyed, the Postal Service increases the risk of inaccuracies, processing delays, and PII being compromised. Also, the Postal Service may lose passport revenue resulting from potential site closures for noncompliance with procedures.

Passport Acceptance Policies and Procedures

Postal Service management did not have policies and procedures in place that identified district management’s roles and responsibilities for the passport acceptance program or addressed deficiencies the DOS AFO reviews identified.
Specifically, at one site we visited, district managers were proactively reviewing passports at select Premier Post Office™ locations[24] independent of DOS reviews, while the other two districts relied on DOS reviews to identify deficiencies and enforce corrective actions.

Management acknowledged the need for policies and procedures to ensure consistency nationwide. District retail managers for all three sites visited stated that no guidelines or procedures existed for districts to address deficiencies identified in DOS AFO reviews. Implementing policies and procedures would strengthen internal controls over passport acceptance at all Postal Service acceptance facilities, increase district accountability, and ensure consistent processes for addressing deficiencies identified in DOS AFO reviews.

[24] The Postal Service has selected 3,100 post offices to participate in its Premier Post Office program, which created a core of retail offices with the highest customer service skills and best customer experience.

Recommendations

We recommend the vice president, Retail Channel Operations, in coordination with the vice president, Delivery and Post Office Operations:

1. Ensure all acceptance agents have completed the required passport acceptance training.

2. Require responsible personnel to adhere to policies and procedures for appropriately safeguarding customers’ privacy and personally identifiable information associated with the passport acceptance process.

3. Revise the Postal Service Form 5659, Daily Passport Application (DS-11) Transmittal, to include instructions for monitoring and recording the delivery date of the completed passport application on the form.

4. Implement controls to ensure completed transmittal forms are independently reviewed for accuracy and retained as required by Postal Service policy.

5. Revise the online version of the Administrative Support Manual to reflect the correct transmittal form retention period of 2 years.

6. Establish and implement policies and procedures identifying district management’s roles and responsibilities relating to passport acceptance procedures and remediation of deficiencies identified in Department of State reviews.

Management’s Comments

Management did not state whether they agreed or disagreed with the findings. Management agreed with recommendations 3, 5, and 6; and disagreed with recommendations 1, 2, and 4. In addition, management disagreed with the revenue at risk calculation.

Management disagreed with recommendation 1 and stated that their current policies require annual training. Employees who do not take the annual training are decertified and therefore not allowed to accept passports. The DOS provides this information to the Headquarters’ Passport program manager as well as the local Post Office notifying them of employees not in compliance. Employees that complete the training are recertified.

Management disagreed with recommendation 2 and stated that policies and procedures are already in place requiring employees to safeguard PII.
Management continually communicates to employees the need for information security and has recently issued additional guidance reminding employees of the importance of safeguarding PII.

Management agreed with recommendation 3 and will revise PS Form 5659 to include instructions for monitoring and recording the delivery date of the completed passport application on the form by May 30, 2014.

Furthermore, management disagreed with recommendation 4 and stated the ASM already requires a supervisor or another employee to review the accuracy of the completed transmittal form and related applications. The reviewer must initial the "Reviewer Initials" line to indicate concurrence. PS Form 5659 also has instructions to complete the form.

Management agreed with recommendation 5 and stated they took corrective actions on May 5, 2014, to ensure the correct transmittal form retention period.

Management agreed with recommendation 6 and stated they will work with the DOS to develop a standard operating procedure that outlines the roles and responsibilities of the DOS and the Postal Service in regard to handling passports. The target implementation date is May 30, 2014.

Regarding the $128 million in revenue at risk, management disagreed with the methodology used and stated the calculation was based on 2-year-old data. Additionally, management stated the OIG is using DOS audit results out of context because the requirements are answered/corrected after each audit.
See Appendix C for management’s comments, in their entirety.

Evaluation of Management’s Comments

The OIG considers management’s comments to recommendations 3, 5, and 6 responsive and corrective actions should resolve the issues identified in the report.

However, we consider management’s comments to recommendations 1, 2, and 4 nonresponsive because they did not address the actions needed to resolve the issues identified. Management disagreed with the recommendations and stated that current Postal Service policy exists to address each recommendation. While we agree that current Postal Service policy exists and we identify those policies in our findings, our recommendations are for management to take corrective actions to ensure responsible personnel comply with policies and procedures. As such, we view the recommendations as unresolved, but do not plan to pursue them through the audit resolution process. We will work with management to develop a mutually agreeable resolution.

Regarding recommendation 1, management did not provide documentation to show that 11 of 17 acceptance agents at the three locations visited completed the required passport acceptance training, either the initial Passport Application Acceptance training or the annual Passport Application Acceptance Refresher course.
Although management strongly agrees that training is required, they did not address how they will ensure compliance with the training requirement.

Regarding recommendation 2, the OIG agrees that management has disseminated additional guidance to the field regarding safeguarding PII; however, our recommendation addresses the need to ensure acceptance facilities have an area where passport customers are afforded privacy when applying for passports, which management did not address in their comments.

Regarding recommendation 4, we agree that current Postal Service policy exists requiring the independent review and retention of transmittal forms. Management did not address our recommendation to implement controls to ensure employees are following the policy.

Regarding our revenue at risk calculation, the OIG used the latest DOS data available, which was for FYs 2012 and 2013. We used 2 years’ worth of data because the DOS visits each acceptance facility at least once every 2 years. If an acceptance facility does not comply with policies for safeguarding PII, the DOS may suspend or close it. In addition, management does not have established procedures in place to address deficiencies identified in the DOS reviews. Because internal controls were not sufficient to ensure the safeguarding of PII and address deficiencies, revenue was at risk.

Because management has taken corrective actions to resolve recommendation 5, we are closing the recommendation with issuance of this report. For recommendations 1, 2, and 4, we request additional information from management to address corrective actions planned or taken to resolve the issues identified in the report.
The OIG
considers all the recommendations significant, and therefore requires OIG concurrence
before closure of recommendations 1 through 4 and 6. Consequently, the OIG requests
written confirmation when corrective actions are completed. These recommendations
should not be closed in the Postal Service’s follow-up tracking system until the OIG
provides written confirmation that the recommendations can be closed.

Appendix A: Additional Information

Background

The OIG received a request on April 9, 2013, from the office of Duncan Hunter, U.S.
Congressman from California, regarding a constituent’s concern with Postal Service
procedures for handling PII. In November 2012, the constituent and her daughter
applied for passports at a Post Office in San Diego, CA. The mother received her
passport in about 10 days; however, unit personnel found the daughter’s application
unsecured at the Post Office 23 days after it was accepted and personnel at a Tucson,
AZ, Post Office subsequently misfiled it for 10 days before redelivering it to the regional
passport office. The Postal Service reimbursed the family for costs associated with the
delay in service. The Postal Service’s Consumer and Industry Contact and OIG Office
of Investigations conducted independent investigations, but neither found evidence the
Postal Service compromised the PII in question.

The Postal Service, in coordination with the DOS, establishes procedures for passport
application acceptance at the 5,372[25] Postal Service passport acceptance facilities
nationwide. Each passport application is accepted by authorized Postal Service
employees who have successfully completed the initial and yearly refresher passport
training courses.
Employees can take the courses either online in the Postal Service’s
Learning Management System or in a classroom the DOS provides. The initial Passport
Application Acceptance course is an 8-hour mandatory course intended for employees
newly assigned to passport acceptance duties. The yearly passport application
acceptance refresher course is a 2-hour mandatory course for employees currently
accepting passport applications.[26]

Acceptance agents process passport applications at designated Postal Service
passport acceptance facilities. At the end of each business day, agents mail passport
applications with transmittals to the DOS and retain copies of the transmittals in a
secure location at the facility. The Postal Service accepted 5.7 million passport
applications and earned $142.1 million in passport fees in FY 2012 and accepted
5.3 million applications yielding $133.2 million in fees in FY 2013. The Postal Service
also generates revenue from its passport photograph services.

The DOS conducts scheduled official onsite reviews at Postal Service passport
acceptance locations as part of its AFO program. The program monitors acceptance
facilities’ compliance with the PARG and other consular affairs/passport services
procedures. The reviews address key areas such as acceptance and information
security procedures, supplies, and training. The DOS sends the results of its reviews to
unit, district, and area management. Well-publicized disclosures of U.S. citizens’ PII by
the federal government and its employees have resulted in heightened scrutiny of
agency information security and privacy programs.
Although the federal government is
making strides to protect against privacy breaches, Federal Information Security
Management Act[27] reports indicate the prevalence of federal privacy breaches. The
potential adverse impacts of a privacy breach are a key motivator for the federal
government to enhance efforts to comply with privacy regulations and protect the
privacy of citizens and noncitizens.

[25] As of March 25, 2014.
[26] Postal Blue website, Customer Service Operations and Retail.

Objective, Scope, and Methodology

Our objective was to evaluate the Postal Service’s procedures to protect and secure PII
on passport applications. To accomplish our objective, we:

•    Reviewed passport application data for FYs 2012 and 2013.
•    Conducted site visits at three passport acceptance units.[28]
•    Interviewed management at headquarters and in the field.
•    Interviewed DOS personnel.
•    Obtained and reviewed DOS passport acceptance site review results.

We conducted this review from October 2013 through May 2014, in accordance with the
Council of the Inspectors General on Integrity and Efficiency, Quality Standards for
Inspection and Evaluation. We discussed our observations and conclusions with
management on March 25, 2014, and included their comments where appropriate.

We assessed the reliability of the passport application data from the Enterprise Data
Warehouse (EDW) by confirming our analysis and results with management and other
data sources. In addition, the OIG tests the financial information in the EDW as part of
its annual financial statements audits.
We assessed the reliability of the DOS’ site
review data by interviewing DOS officials and analyzing source documentation to
confirm the validity of the data. We determined that the data were sufficiently reliable for
the purposes of this report.

[27] Federal Information Security Management Act of 2002, Public Law 107-347.
[28] The         Post Office in           is where the incident occurred. We judgmentally selected the           Post
Office in         and the              Station in         , based on the high volume of passport applications
processed at these locations during FY 2013.

Prior Audit Coverage

The OIG issued Financial Controls Over Passport Applications (Report Number
FF-AR-11-011, dated July 27, 2011), which details three areas where the Postal Service has
opportunities to enhance its financial controls over passport applications and revenue
associated with fees collected.

Specifically, the Postal Service needs:

•   A reconciliation process for collecting and reporting application fees collected at
    acceptance facilities.

•   Improved controls over fees collected for passport photographs.

•   A re-evaluation of the fee charged for passport photographs.

Management did not agree to develop a reconciliation process with the DOS; however,
they did implement a Point-of-Sale system update they believe will increase the
accountability of passport fees.
Management stated they would evaluate options to
improve accountability, reduce the risk of having uncollected revenue associated with
photograph fees, and re-evaluate the fee charged for passport photographs.

Appendix B: Other Impact

Recommendation    Other Impact Category    Amount
1-6               Revenue at Risk[29]      $128,351,511

The DOS conducts reviews at Postal Service passport acceptance locations every
2 years as part of its AFO program. The reviews address key areas such as acceptance
and information security procedures, supplies, and training. DOS management
discusses review results with unit management and sends corresponding reports to
acceptance facilities’ district and area managers. The DOS revisits the facilities with
identified deficiencies within 6 to 12 months to determine whether management
corrected the issues. Continuous noncompliance can lead to the DOS recommending a
site be suspended from participating in the passport program.[30] The DOS determines
removal of a facility from the program on a case-by-case basis, based on the level of
egregiousness.[31]

During FYs 2012 and 2013, DOS reviews identified 3,278 Postal Service passport
application acceptance locations with deficiencies relating to safeguarding PII.
We relied
on DOS AFO review results, in conjunction with the Postal Service’s passport
application and photograph volume data, to calculate revenue at risk (other impact).

The DOS can recommend the suspension or removal of a Post Office from the passport
program if management does not correct the deficiencies regarding safeguarding PII
identified in DOS reviews. Consequently, the Postal Service risks losing $103,603,203
in revenue annually and $207,206,405 over a 2-year period if these acceptance
locations are suspended or closed.

For this report, we took a conservative approach and used net revenue[32] to calculate
other impact. As a result, the Postal Service risks losing $64,175,756 in net revenue
annually and $128,351,511 over a 2-year period.

To determine revenue at risk, we used the following methodology:

•    We estimated the Postal Service generates a net profit of about $14.82 for each
     passport application it processes and about $10.76 for each passport photograph it
     sells.
•    We analyzed the Postal Service’s passport application data and DOS AFO review
     data for FYs 2012 and 2013 and determined that 6,517,655 passport applications
     (60 percent) and 2,951,002 passport photographs (58 percent) were processed at
     3,278 facilities that were noncompliant with at least one PII procedure.[33]
•    We calculated net revenue at risk of $64,175,756[34] annually if these Postal Service
     passport acceptance facilities are suspended or closed for continuous
     noncompliance.
•    We calculated net revenue at risk of $128,351,511 for a 2-year period.

[29] Revenue the Postal Service risks losing.
[30] Passport Services, a directorate within the DOS, may suspend the facility until further notice or until the facility is
deemed to be in compliance with all regulations.
[31] DOS officials can recommend the closure of a facility based on the level of egregiousness. However, the DOS
Customer Service manager, in coordination with Postal Service officials, ultimately makes the final decision.
[32] Money earned after all expenses have been deducted from the total revenue.
[33] Noncompliance with any procedure relating to safeguarding PII may result in DOS closing the noncompliant Postal
Service passport acceptance facility.
[34] Consists of $48,295,824 (3,258,828 applications x $14.82 passport application profit) and $15,879,932 (1,475,501
photographs x a $10.76 profit per photograph).

Appendix C: Management’s Comments